Uber reveals more on recent hack, says Lapsus$ is to blame

Uber has shared more details on its recent data breach, sharing details on how it happened, what the impact was, and who it thinks was (most likely) to blame.

In a security update (opens in new tab), Uber said a threat actor purchased an Uber EXT contractor’s login credentials from the dark web, and managed to log into the account after the contractor accepted a two-factor login request from the secondary endpoint. 

From there, the attacker accessed “several other employee accounts” (Uber does not go into details on how this happened), which gave them elevated permissions to a couple of tools, including Google Workspace and Slack. 

Slack and invoices

Although the group is yet to take responsibility for the attack, Uber has laid the blame on Lapsus$, a known extortion group that’s previously breached the likes of Microsoft, Cisco, Samsung, Nvidia, and Okta.

Uber claims that the impact of the attack was limited, as while the attacker accessed several internal systems, they weren’t able to access production systems that power Uber’s apps. User accounts were safe, as well as the database holding sensitive user information (credit card numbers, bank account info, trip history). Even if the attacker managed to access credit card data or personal health data, this data is encrypted, the company says.

Furthermore, the attackers made no changes to Uber’s codebase. Customer and user data stored by cloud providers was not tampered with, either. However, internal Slack messages, as well as data from a tool used to manage invoices, have been taken. 

When news of the data breach first broke, security researchers and the media were focused on the fact that the attackers accessed Uber’s dashboard at HackerOne, as that would give them insights into various vulnerabilities the company has, possibly including those that are yet to be fixed. 

When news of the data breach first broke, security researchers and the media were focused on the fact that the attackers accessed Uber’s dashboard at HackerOne, as that would give them insights into various vulnerabilities the company has, possibly including those that are yet to be fixed. 

That would open the doors for a number of different cyberattacks. However, Uber now says any bug reports the attackers accessed have been fixed.